Skip to main content

Ubuntu EUVDEUVD-2025-21159

| CVE-2025-48924 MEDIUM
Uncontrolled Recursion (CWE-674)
2025-07-11 security@apache.org GHSA-j288-q9x7-2f5v
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Ubuntu
MEDIUM
qualitative
SUSE
MEDIUM
qualitative
Red Hat
3.7 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 16, 2026 - 08:17 euvd
EUVD-2025-21159
Analysis Generated
Mar 16, 2026 - 08:17 vuln.today
CVE Published
Jul 11, 2025 - 15:15 nvd
MEDIUM 5.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 565 maven packages depend on commons-lang:commons-lang (97 direct, 471 indirect)
  • 948 maven packages depend on org.apache.commons:commons-lang3 (366 direct, 587 indirect)

Ecosystem-wide dependent count for version 2.0 and other introduced versions.

DescriptionCVE.org

Uncontrolled Recursion vulnerability in Apache Commons Lang.

This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.

The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.

Users are recommended to upgrade to version 3.18.0, which fixes the issue.

Analysis

Uncontrolled Recursion vulnerability in Apache Commons Lang.

This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.

The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.

Users are recommended to upgrade to version 3.18.0, which fixes the issue.

Technical ContextAI

A denial of service vulnerability allows an attacker to disrupt the normal functioning of a system, making it unavailable to legitimate users. This vulnerability is classified as Uncontrolled Recursion (CWE-674).

RemediationAI

Implement rate limiting and input validation. Use timeout mechanisms for resource-intensive operations. Deploy DDoS protection where applicable.

Vendor StatusVendor

Ubuntu

Priority: Medium
libcommons-lang-java
Release Status Version
trusty needs-triage -
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble needs-triage -
upstream needs-triage -
questing needs-triage -
plucky ignored end of life, was needs-triage
libcommons-lang3-java
Release Status Version
bionic needed -
focal needed -
questing needed -
plucky ignored end of life, was needs-triage
jammy needed -
noble needed -
trusty needed -
upstream released 3.18.0
xenial needed -

Debian

Bug #1109126
libcommons-lang-java
Release Status Fixed Version Urgency
bullseye fixed 2.6-9+deb11u1 -
bullseye (security) fixed 2.6-9+deb11u2 -
bookworm fixed 2.6-10+deb12u1 -
trixie fixed 2.6-10+deb13u1 -
forky, sid fixed 2.6-12 -
(unstable) fixed 2.6-11 -
libcommons-lang3-java
Release Status Fixed Version Urgency
bullseye fixed 3.11-1+deb11u1 -
bullseye (security) fixed 3.11-1+deb11u2 -
bookworm fixed 3.12.0-2+deb12u1 -
trixie fixed 3.17.0-1+deb13u1 -
forky, sid fixed 3.17.0-2 -
(unstable) fixed 3.17.0-2 -

SUSE

Severity: Medium
Product Status
Container suse/manager/5.0/x86_64/server:5.0.5.1.7.33.2 Container suse/multi-linux-manager/5.1/x86_64/server:5.1.1.8.7.1 Image SLES15-SP4-Manager-Server-4-3-BYOS Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE Image server-image Affected
SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise High Performance Computing 15 SP6 SUSE Linux Enterprise Module for Basesystem 15 SP6 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP6 Fixed
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 Fixed

Share

EUVD-2025-21159 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy